Promote images on release (#22)

Add action which copies an image on new git tag

---------

Co-authored-by: Vladislav Volodkin <vlaad@amazon.co.uk>

.github/workflows/e2e-tests.yaml

@@ -11,17 +11,22 @@ on:
 #
 # Since we have a single cluster for e2e tests, we ensure that no more than one instance of this workflow is
 # running by `concurrency: e2e-cluster` option.
+#
+# Succesfull workflows triggered by push to main will upload tested image to the private repository "PROMOTED_IMAGE_NAME":
+# - uploaded images will be tagged with main branch commit number
+# - uploaded images will be later promoted to public repository by "release" workflow
 concurrency: e2e-cluster
 env:
   AWS_REGION : "us-east-1"
   KUBECONFIG: "/tmp/kubeconfig"
   COMMIT_ID: ${{ github.event_name == 'push' && github.sha || github.event.pull_request.head.sha }}
+  TMP_IMAGE_NAME: "s3-csi-driver-tmp"
+  PROMOTED_IMAGE_NAME: "s3-csi-driver"
 jobs:
   build:
     # this is to prevent the job to run at forked projects
     if: github.repository == 'awslabs/mountpoint-s3-csi-driver'
     runs-on: ubuntu-latest
-    environment: PR Integration Tests
     permissions:
       id-token: write
       contents: read
@@ -45,9 +50,10 @@ jobs:
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
-      - name: Build, tag, and push docker image to Amazon ECR Public Repository
+      - name: Build, tag, and push docker image to Amazon ECR Private Repository
         env:
           REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_NAME: ${{ env.TMP_IMAGE_NAME }}
         run: |
           BRANCH_OR_TAG=$(echo $GITHUB_REF | cut -d'/' -f3)
           export PLATFORM=linux/amd64
@@ -57,6 +63,7 @@ jobs:
       - name: Install the driver
         env:
           REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_NAME: ${{ env.TMP_IMAGE_NAME }}
         run: |
           export EKS_REGION=${{ env.AWS_REGION }}
           export EKS_CLUSTER_NAME=s3-csi-cluster
@@ -65,3 +72,11 @@ jobs:
           tests/e2e-kubernetes/install.sh
       - name: Run E2E Tests
         run: make e2e E2E_KUBECONFIG=${{ env.KUBECONFIG }} E2E_COMMIT_ID=${{ env.COMMIT_ID }}
+      - name: Promote image
+        if: ${{ github.ref_name == 'main' }}
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        run: |
+          export NEW_IMAGE_NAME=${REGISTRY}:${{ env.PROMOTED_IMAGE_NAME }}:${{ env.COMMIT_ID }}
+          docker tag ${REGISTRY}:${{ env.TMP_IMAGE_NAME }}:${{ env.COMMIT_ID }} ${NEW_IMAGE_NAME}
+          docker push ${NEW_IMAGE_NAME}

.github/workflows/release.yaml

@@ -0,0 +1,55 @@
+name: Release
+
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
+
+# This workflow copies image from testing private repository to:
+# 1) public repository
+# 2) private ARS source repository (TODO)
+env:
+  AWS_REGION : "us-east-1"
+  COMMIT_ID: ${{ github.sha }}
+  GIT_TAG: ${{ github.ref_name }}
+  IMAGE_NAME: "s3-csi-driver"
+jobs:
+  build:
+    # this is to prevent the job to run at forked projects
+    if: github.repository == 'awslabs/mountpoint-s3-csi-driver'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Configure AWS Credentials from Test acccount
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::239424963615:role/S3CSIDriverE2ETestsRole
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Login to Amazon ECR test
+        id: login-ecr-test
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Configure AWS Credentials from Prod account
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::211164257204:role/S3CSIDriverPrivateImagePublisherRole
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Login to Amazon ECR prod
+        id: login-ecr-prod
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Promote image
+        run: |
+          export IMAGE_TO_PROMOTE=${{ steps.login-ecr-test.outputs.registry }}/${{ env.IMAGE_NAME }}:${{ env.COMMIT_ID }}
+          export RELEASE_IMAGE=${{ steps.login-ecr-prod.outputs.registry }}/${{ env.IMAGE_NAME }}:${{ env.GIT_TAG }}
+          docker pull ${IMAGE_TO_PROMOTE}
+          docker tag ${IMAGE_TO_PROMOTE} ${RELEASE_IMAGE}
+          docker push ${RELEASE_IMAGE}

.github/workflows/unit-tests.yaml

@@ -1,4 +1,4 @@
-name: Go
+name: Unit tests
 
 on:
   push:
@@ -9,7 +9,6 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-    environment: PR Unit Tests
     steps:
     - uses: actions/checkout@v4
 

Makefile

@@ -28,7 +28,8 @@ GOOS=$(shell go env GOOS)
 GOBIN=$(shell pwd)/bin
 
 REGISTRY?=""
-IMAGE?=$(REGISTRY)/s3-csi-driver
+IMAGE_NAME?=""
+IMAGE?=$(REGISTRY)/${IMAGE_NAME}
 TAG?=$(GIT_COMMIT)
 
 PLATFORM?=linux/amd64,linux/arm64
@@ -50,7 +51,7 @@ push_image:
 
 .PHONY: login_registry
 login_registry:
-	aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin ${REGISTRY}
+	aws ecr get-login-password --region ${REGION} | docker login --username AWS --password-stdin ${REGISTRY}
 
 .PHONY: bin
 bin:

tests/e2e-kubernetes/install.sh

@@ -38,7 +38,7 @@ function ensure_driver_not_installed() {
 function install_driver() {
     helm upgrade --install aws-s3-csi-driver --namespace kube-system ./charts/aws-s3-csi-driver --values \
         ./charts/aws-s3-csi-driver/values.yaml \
-        --set image.repository=${REGISTRY}/s3-csi-driver \
+        --set image.repository=${REGISTRY}/${IMAGE_NAME} \
         --set image.tag=${TAG} \
         --set image.pullPolicy=Always
     kubectl rollout status daemonset s3-csi-node -n kube-system --timeout=60s